9.4. Restrict console messages

9.4.1. Restrict console messages from the system log

Generating a stready stream of console messages can easily overwhelm a 9600bps link.

Although displaying all syslog messages on the console appears to be a good idea, this actually provides the unprivileged user a simple method to deny effective use of the remote console.

Configure system log messages to the console to the bare minimum. Look in /etc/syslog.conf for lines ending with /dev/console.

Consider sending all log messages to another machine for recording and analysis. Figure 9-2 shows the standard /etc/syslog.conf from Red Hat Linux7.2 modified to record log messages to a log server. Each line of syslog.conf has been repeated to send a copy of the message to the log server. The log server has the DNS alias loghost.example.edu.au; using a DNS alias allows the log server to be moved without updating the configuration of all the remote machines. The local copy of the log message is no longer the only means of determining the cause of a system failure, so we can gain some performance advantage by disabling synchronous file writes, although this increases the odds of an inconsistent filesystem (an issue with filesystems that do not do journalling). Placing a - before the filename disables synchronous file writes.

A log server is configured using the standard /etc/syslog.conf configured to allow the reception of remote syslog messages. This configuration for Red Hat Linux is shown in Figure 9-3. In addition to configuring the system log daemon, also prevent denial of service attacks by configuring IP Tables to restrict the sources of the syslog messages; and also improve performance by checking that nscd is running to cache reverse DNS lookups.